v1.128.0rc1

Synapse 1.128.0rc1 (2025-04-01)

Features

• Add an access token introspection cache to make Matrix Authentication Service integration (MSC3861) more efficient. (#18231)
• Add background job to clear unreferenced state groups. (#18254)
• Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. (#18277, #18302, #18296)

Bugfixes

• Add index to sliding sync (MSC4186) membership snapshot table, to fix a performance issue. (#18074)

Updates to the Docker image

• Specify the architecture of installed packages via an APT config option, which is more reliable than appending package names with :{arch}. (#18271)
• Always specify base image debian versions with a build argument. (#18272)
• Allow passing arguments to start_for_complement.sh (to be sent to configure_workers_and_start.py). (#18273)
• Make some improvements to the prefix-log script in the workers image. (#18274)
• Use uv pip to install supervisor in the worker image. (#18275)
• Avoid needing to download & use rsync in a build layer. (#18287)

Improved Documentation

• Fix how to obtain access token and change naming from riot to element (#18225)
• Correct a small typo in the SSO mapping providers documentation. (#18276)
• Add docs for how to clear out the Poetry wheel cache. (#18283)

Internal Changes

• Add a column participant to room_memberships table. (#18068)
• Update Poetry to 2.1.1, including updating the lock file version. (#18251)
• Pin GitHub Actions dependencies by commit hash. (#18255)
• Add DB delta to remove the old state group deletion job. (#18284)

Updates to locked dependencies

• Bump actions/add-to-project from f5473ace9aeee8b97717b281e26980aa5097023f to 280af8ae1f83a494cfad2cb10f02f6d13529caa9. (#18303)
• Bump actions/cache from 4.2.2 to 4.2.3. (#18266)
• Bump actions/download-artifact from 4.2.0 to 4.2.1. (#18268)
• Bump actions/setup-python from 5.4.0 to 5.5.0. (#18298)
• Bump actions/upload-artifact from 4.6.1 to 4.6.2. (#18304)
• Bump authlib from 1.4.1 to 1.5.1. (#18306)
• Bump dawidd6/action-download-artifact from 8 to 9. (#18204)
• Bump jinja2 from 3.1.5 to 3.1.6. (#18223)
• Bump log from 0.4.26 to 0.4.27. (#18267)
• Bump phonenumbers from 8.13.50 to 9.0.2. (#18299)
• Bump pygithub from 2.5.0 to 2.6.1. (#18243)
• Bump pyo3-log from 0.12.1 to 0.12.2. (#18269)

v1.127.1

Synapse 1.127.1 (2025-03-26)

Security

• Fix CVE-2025-30355 / GHSA-v56r-hwv5-mxg6. High severity vulnerability affecting federation. The vulnerability has been exploited in the wild.

v1.127.0

Synapse 1.127.0 (2025-03-25)

No significant changes since 1.127.0rc1.

Synapse 1.127.0rc1 (2025-03-18)

Features

• Update MSC4140 implementation to no longer cancel a user's own delayed state events with an event type & state key that match a more recent state event sent by that user. (#17810)

Improved Documentation

• Fixed a minor typo in the Synapse documentation. Contributed by @karuto12. (#18224)

Internal Changes

• Remove undocumented SYNAPSE_USE_FROZEN_DICTS environment variable. (#18123)
• Fix detection of workflow failures in the release script. (#18211)
• Add caching support to media endpoints. (#18235)

Updates to locked dependencies

• Bump anyhow from 1.0.96 to 1.0.97. (#18201)
• Bump bcrypt from 4.2.1 to 4.3.0. (#18207)
• Bump bytes from 1.10.0 to 1.10.1. (#18227)
• Bump http from 1.2.0 to 1.3.1. (#18245)
• Bump sentry-sdk from 2.19.2 to 2.22.0. (#18205)
• Bump serde from 1.0.218 to 1.0.219. (#18228)
• Bump serde_json from 1.0.139 to 1.0.140. (#18202)
• Bump ulid from 1.2.0 to 1.2.1. (#18246)

v1.127.0rc1

Synapse 1.127.0rc1 (2025-03-18)

Features

• Update MSC4140 implementation to no longer cancel a user's own delayed state events with an event type & state key that match a more recent state event sent by that user. (#17810)

Improved Documentation

• Fixed a minor typo in the Synapse documentation. Contributed by @karuto12. (#18224)

Internal Changes

• Remove undocumented SYNAPSE_USE_FROZEN_DICTS environment variable. (#18123)
• Fix detection of workflow failures in the release script. (#18211)
• Add caching support to media endpoints. (#18235)

Updates to locked dependencies

• Bump anyhow from 1.0.96 to 1.0.97. (#18201)
• Bump bcrypt from 4.2.1 to 4.3.0. (#18207)
• Bump bytes from 1.10.0 to 1.10.1. (#18227)
• Bump http from 1.2.0 to 1.3.1. (#18245)
• Bump sentry-sdk from 2.19.2 to 2.22.0. (#18205)
• Bump serde from 1.0.218 to 1.0.219. (#18228)
• Bump serde_json from 1.0.139 to 1.0.140. (#18202)
• Bump ulid from 1.2.0 to 1.2.1. (#18246)

v1.126.0

Synapse 1.126.0 (2025-03-11)

No significant changes since 1.126.0rc3.

Synapse 1.126.0rc3 (2025-03-07)

Bugfixes

• Revert the background job to clear unreferenced state groups (that was introduced in v1.126.0rc1), due to a suspected issue that causes increased disk usage. (#18222)

Synapse 1.126.0rc2 (2025-03-05)

Administrators using the Debian/Ubuntu packages from packages.matrix.org, please check the relevant section in the upgrade notes as we have recently updated the expiry date on the repository's GPG signing key. The old version of the key will expire on 2025-03-15.

Internal Changes

• Fix wheel building configuration in CI by installing libatomic1. (#18212, #18213)

Synapse 1.126.0rc1 (2025-03-04)

Synapse 1.126.0rc1 was not fully released due to an error in CI.

Features

• Define ratelimit configuration for delayed event management. (#18019)
• Add form_secret_path config option. (#18090)
• Add the --no-secrets-in-config command line option. (#18092)
• Add background job to clear unreferenced state groups. (#18154)
• Add support for specifying/overriding id_token_signing_alg_values_supported for an OpenID identity provider. (#18177)
• Add worker_replication_secret_path config option. (#18191)
• Add support for specifying/overriding redirect_uri in the authorization and token requests against an OpenID identity provider. (#18197)

Bugfixes

• Make sure we advertise registration as disabled when MSC3861 is enabled. (#17661)
• Prevent suspended users from sending encrypted messages. (#18157)
• Cleanup deleted state group references. (#18165)
• Fix MSC4108 QR-code login not working with some reverse-proxy setups. (#18178)
• Support device IDs that can't be represented in a scope when delegating auth to Matrix Authentication Service 0.15.0+. (#18174)

Updates to the Docker image

• Speed up the building of the Docker image. (#18038)

Improved Documentation

• Move incorrectly placed version indicator in User Event Redaction Admin API docs. (#18152)
• Document suspension Admin API. (#18162)

Deprecations and Removals

• Disable room list publication by default. (#18175)

Updates to locked dependencies

• Bump anyhow from 1.0.95 to 1.0.96. (#18187)
• Bump authlib from 1.4.0 to 1.4.1. (#18190)
• Bump click from 8.1.7 to 8.1.8. (#18189)
• Bump log from 0.4.25 to 0.4.26. (#18184)
• Bump pyo3-log from 0.12.0 to 0.12.1. (#18046)
• Bump serde from 1.0.217 to 1.0.218. (#18183)
• Bump serde_json from 1.0.138 to 1.0.139. (#18186)
• Bump sigstore/cosign-installer from 3.8.0 to 3.8.1. (#18185)
• Bump types-psycopg2 from 2.9.21.20241019 to 2.9.21.20250121. (#18188)

v1.126.0rc3

Synapse 1.126.0rc3 (2025-03-07)

Bugfixes

• Revert the background job to clear unreferenced state groups (that was introduced in v1.126.0rc1), due to a suspected issue that causes increased disk usage. (#18222)

v1.126.0rc2

Synapse 1.126.0rc2 (2025-03-05)

Administrators using the Debian/Ubuntu packages from packages.matrix.org, please check
the relevant section in the upgrade notes
as we have recently updated the expiry date on the repository's GPG signing key. The old version of the key will expire on 2025-03-15.

Internal Changes

• Fix wheel building configuration in CI by installing libatomic1. (#18212, #18213)

v1.126.0rc1

Synapse 1.126.0rc1 (2025-03-04)

Administrators using the Debian/Ubuntu packages from packages.matrix.org, please check
the relevant section in the upgrade notes
as we have recently updated the expiry date on the repository's GPG signing key. The old version of the key will expire on 2025-03-15.

Features

• Define ratelimit configuration for delayed event management. (#18019)
• Add form_secret_path config option. (#18090)
• Add the --no-secrets-in-config command line option. (#18092)
• Add background job to clear unreferenced state groups. (#18154)
• Add support for specifying/overriding id_token_signing_alg_values_supported for an OpenID identity provider. (#18177)
• Add worker_replication_secret_path config option. (#18191)
• Add support for specifying/overriding redirect_uri in the authorization and token requests against an OpenID identity provider. (#18197)

Bugfixes

• Make sure we advertise registration as disabled when MSC3861 is enabled. (#17661)
• Prevent suspended users from sending encrypted messages. (#18157)
• Cleanup deleted state group references. (#18165)
• Fix MSC4108 QR-code login not working with some reverse-proxy setups. (#18178)
• Support device IDs that can't be represented in a scope when delegating auth to Matrix Authentication Service 0.15.0+. (#18174)

Updates to the Docker image

• Speed up the building of the Docker image. (#18038)

Improved Documentation

• Move incorrectly placed version indicator in User Event Redaction Admin API docs. (#18152)
• Document suspension Admin API. (#18162)

Deprecations and Removals

• Disable room list publication by default. (#18175)

Updates to locked dependencies

• Bump anyhow from 1.0.95 to 1.0.96. (#18187)
• Bump authlib from 1.4.0 to 1.4.1. (#18190)
• Bump click from 8.1.7 to 8.1.8. (#18189)
• Bump log from 0.4.25 to 0.4.26. (#18184)
• Bump pyo3-log from 0.12.0 to 0.12.1. (#18046)
• Bump serde from 1.0.217 to 1.0.218. (#18183)
• Bump serde_json from 1.0.138 to 1.0.139. (#18186)
• Bump sigstore/cosign-installer from 3.8.0 to 3.8.1. (#18185)
• Bump types-psycopg2 from 2.9.21.20241019 to 2.9.21.20250121. (#18188)

v1.125.0

Synapse 1.125.0 (2025-02-25)

No significant changes since 1.125.0rc1.

Synapse 1.125.0rc1 (2025-02-18)

Features

• Add functionality to be able to use multiple values in SSO feature attribute_requirements. (#17949)
• Add experimental config options admin_token_path and client_secret_path for MSC3861. (#18004)
• Add get_current_time_msec() method to the module API for sound time comparisons with Synapse. (#18144)

Bugfixes

• Update the response when a client attempts to add an invalid email address to the user's account from a 500, to a 400 with error text. (#18125)
• Fix user directory search when using a legacy module with a check_username_for_spam callback. Broke in v1.122.0. (#18135)

Updates to the Docker image

• Add SYNAPSE_HTTP_PROXY/SYNAPSE_HTTPS_PROXY/SYNAPSE_NO_PROXY environment variables to pass through specifically to the Synapse process (instead of needing to apply http_proxy/https_proxy/no_proxy globally). (#18158)

Improved Documentation

• Add Oracle Linux 8 and 9 installation instructions. (#17436)
• Document missing server config options (daemonize, print_pidfile, user_agent_suffix, use_frozen_dicts, manhole). (#18122)
• Document consequences of replacing secrets. (#18138)
• Make burst_count field an integer in rc_presence config documentation example. (#18159)

Internal Changes

• Overload DatabasePool.simple_select_one_txn to return non-None when the allow_none parameter is False. (#17616)
• Python 3.8 EOL: compile native extensions with the 3.9 ABI and use typing hints from the standard library. (#17967)
• Add log message when worker lock timeouts get large. (#18124)
• Make it explicit that you can buy an AGPL-alternative commercial license from Element. (#18134)
• Fix the 'Fix linting' GitHub Actions workflow. (#18136)
• Do not log at the exception-level when clients provide empty since token to /sync API. (#18139)
• Reduce database load of user search when using large search terms. (#18172)

Updates to locked dependencies

• Bump bcrypt from 4.2.0 to 4.2.1. (#18127)
• Bump bytes from 1.9.0 to 1.10.0. (#18149)
• Bump gitpython from 3.1.43 to 3.1.44. (#18128)
• Bump hiredis from 3.0.0 to 3.1.0. (#18169)
• Bump serde_json from 1.0.137 to 1.0.138. (#18129)
• Bump service-identity from 24.1.0 to 24.2.0. (#18171)
• Bump sigstore/cosign-installer from 3.7.0 to 3.8.0. (#18147)
• Bump twine from 6.0.1 to 6.1.0. (#18170)
• Bump types-pyyaml from 6.0.12.20240917 to 6.0.12.20241230. (#18097)
• Bump ulid from 1.1.4 to 1.2.0. (#18148)

v1.125.0rc1

Synapse 1.125.0rc1 (2025-02-18)

Features

• Add functionality to be able to use multiple values in SSO feature attribute_requirements. (#17949)
• Add experimental config options admin_token_path and client_secret_path for MSC3861. (#18004)
• Add get_current_time_msec() method to the module API for sound time comparisons with Synapse. (#18144)

Bugfixes

• Update the response when a client attempts to add an invalid email address to the user's account from a 500, to a 400 with error text. (#18125)
• Fix user directory search when using a legacy module with a check_username_for_spam callback. Broke in v1.122.0. (#18135)

Updates to the Docker image

• Add SYNAPSE_HTTP_PROXY/SYNAPSE_HTTPS_PROXY/SYNAPSE_NO_PROXY environment variables to pass through specifically to the Synapse process (instead of needing to apply http_proxy/https_proxy/no_proxy globally). (#18158)

Improved Documentation

• Add Oracle Linux 8 and 9 installation instructions. (#17436)
• Document missing server config options (daemonize, print_pidfile, user_agent_suffix, use_frozen_dicts, manhole). (#18122)
• Document consequences of replacing secrets. (#18138)
• Make burst_count field an integer in rc_presence config documentation example. (#18159)

Internal Changes

• Overload DatabasePool.simple_select_one_txn to return non-None when the allow_none parameter is False. (#17616)
• Python 3.8 EOL: compile native extensions with the 3.9 ABI and use typing hints from the standard library. (#17967)
• Add log message when worker lock timeouts get large. (#18124)
• Make it explicit that you can buy an AGPL-alternative commercial license from Element. (#18134)
• Fix the 'Fix linting' GitHub Actions workflow. (#18136)
• Do not log at the exception-level when clients provide empty since token to /sync API. (#18139)
• Reduce database load of user search when using large search terms. (#18172)

Updates to locked dependencies

• Bump bcrypt from 4.2.0 to 4.2.1. (#18127)
• Bump bytes from 1.9.0 to 1.10.0. (#18149)
• Bump gitpython from 3.1.43 to 3.1.44. (#18128)
• Bump hiredis from 3.0.0 to 3.1.0. (#18169)
• Bump serde_json from 1.0.137 to 1.0.138. (#18129)
• Bump service-identity from 24.1.0 to 24.2.0. (#18171)
• Bump sigstore/cosign-installer from 3.7.0 to 3.8.0. (#18147)
• Bump twine from 6.0.1 to 6.1.0. (#18170)
• Bump types-pyyaml from 6.0.12.20240917 to 6.0.12.20241230. (#18097)
• Bump ulid from 1.1.4 to 1.2.0. (#18148)